HOW TO TROUBLESHOOT CLIENT UPDATE/DEPLOYMENT FAILURES

HOW TO TROUBLESHOOT CLIENT UPDATE/DEPLOYMENT FAILURES

The ePO 5.9 and 5.10 install guides have a section in them for Troubleshooting and log file reference information.

NOTE: Always be sure the product versions you are installing are supported versions for the specific build of OS/platform you are installing on. KB51109 is the master KB for supported environments for our products.

Server (ePO or agent handler) logs can be located in ePO/AH install directory\db\logs folder. The server log will show push agent failures or other possible communication issues.

On the client side, the logs will be located in c:\programdata\mcafee\agent\logs folder.

Masvc log will show it getting the client task and invoking it (or failing to invoke at the scheduled time).

Macompatsvc log will show agent to point product communication failures.

Mcscript log will show the update process. For deployments, depending on agent version, there may be an mcscript_deploy log. Those are for product deployment tasks only, where the mcscript log will be for updates. If there is no mcscript_deploy log, then all updates and deployments will be in the mcscript log. Mcscript will show where the breakdown occurs and whether it is a repository issue, point product lpc communication failure with the agent, or a point product issue. Here are the steps it will go through.

Can it reach the repository and pull files from it? The log will show it downloading or failing to download files from a repository for one reason or another. A “not up to date site” means that it hasn’t been replicated to yet since new content was added to the master repository.

Once it gets the files from the repository, can the agent communicate with the point product to send the updates to? You may see “point product is not running” or a failure to find a qualifying product (or similar error). You may want to reinstall or upgrade the agent and/or point product in that case.

Once it gets past that point, in the case of deployments, you will see it running the setup for the point product. When the agent executes the setup files, then the agent part is done and successful. The failure then will be on the OS or point product.

C:\windows\temp\mcafeelogs folder will then contain the install logs for the point product to look at for troubleshooting those failures. At that point, you would go to that point product team for assistance.

Agent Deployment (Push Agent)

Review Server Task Log result and most importantly, server_servername.log (DB\Logs)

Keyword “push” in server.log – don’t forget that if multiple handlers exist in an environment, the push could be in a different server.log (when deploying, you can select the handler to use!)

Relies heavily on access to \\machinename\admin$ of endpoint. For all requirements and testing, see KB56386.

Injection

Injection can occur when third-party DLLs which either have untrusted certs or no certs at all load up with McAfee processes, like McScript_InUse.exe. In that scenario, updates will end up failing with curl error 28 (meaning a timeout) and will be seen in the McScript.log or the McScript_deploy.log.

This is due to McAfee Agent’s Self-Protection functionality – the self-protection rules are working as designed in this scenario – we WANT to prevent the process (McScript_InUse.exe, in this example) from successfully making network connections because it could be compromised by a potentially malicious file.

Run the sysprep tool first to see if there are any DLLs that it finds and trusts.

Updates

A common problem, “my DATs/AMCore isn’t updating” can have many unique causes but is generally troubleshot in the same three-step manner:

Reproduce the issue

It’s best to create and assign a new task (use an easily searchable name, like TestTask123). Remember that after assigning a new client task, the machine will have to communicate to receive the task (so send an Agent WakeUp or hit Collect & Send Props!)

Confirm the task invoked and note status

To see where and when a task started, review the masvc_machinename.log. Search the task name from the bottom up – the first thing you find should be the result of the task (if it has completed). For example:

Non-Windows Agent Guide

Keep in mind:

The McAfee Agent has separate packages for the different platforms. For example – a Windows package, a Linux package, etc. These packages must be checked in to the ePO Master Repository separately.

The McAfee Agent can still be deployed (Push Agents) to non-Windows platforms, however it works entirely differently. Since a Windows deployment utilizes Windows file sharing, obviously that’s impossible for non-Windows clients. Instead, SSH protocol is utilized (port 22 by default). Red Hat/centOS have specific requirements to enable deployment and is a common source of push failures on those platforms. See the McAfee Agent Installation Guide for details.

The Agent still has three services on non-Windows platforms: masvc, macmnsvc and macompatsvc.

Non-Windows platforms are case-sensitive when working in the terminal/command line. Be wary to make sure your cases match, otherwise it will appear that the locations you’re attempting to access do not exist.

Re: HOW TO TROUBLESHOOT CLIENT UPDATE/DEPLOYMENT FAILURES

You can set up automatic responses for sending notifications for failed updates (event id 2402) that can send an email. If you have a registered syslog server in epo, you can enable specific events for being sent to that syslog server under server settings, event filtering.

Was my reply helpful?If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.